Support Bearer Tokens for authenticating instead of using a token in basic auth · Graylog2/graylog2-server#5167

(1 comment) (1 reaction) (0 assignees)Java (6,945 stars) (1,032 forks)batch import

featuregood first issuetriaged

Description

Expected Behavior

When a user creates a token which can be used for authentication, it should be accepted by the server when passed as part of a Authentication: Bearer <Token> header.

Current Behavior

For token authentication, the server expects basic auth with the username set to the token and password to token. This is rather proprietary. Additionally, some systems which are otherwise capable of speaking to Graylog (e.g. the telegraf prometheus plugin speaking to the Graylog prometheus metrics reporter do not work due to the nonacceptance of Bearer Tokens.

Possible Solution

Steps to Reproduce (for bugs)

Context

Your Environment

Graylog Version:
Elasticsearch Version:
MongoDB Version:
Operating System:
Browser version:

Contributor guide

Tech stack: java
Domain: authentication
Issue type: feature
Difficulty: 3
Estimated time: half day
Activity status: stale
Clarity: mostly clear
Prerequisites: JavaAuthentication conceptsGraylog server codebase
Newbie friendliness: 50
Research direction: Look at the existing authentication flow in the Graylog server codebase, particularly how token based auth is implemented (likely in classes like `TokenAuthService` or `AuthenticationFilter`). The current behavior uses Basic Auth with token as username and 'token' as password. The goal is to also accept the token in the `Authorization: Bearer <Token>` header. You may need to modify the authentication filter to check for Bearer token, parse it, and validate against stored tokens. Check the issue comments for any additional context or rejected approaches. No linked PRs exist, so you'll need to research how other plugins (e.g., Prometheus reporter) authenticate. Ensure backward compatibility with existing Basic Auth method.